Have I Been Pwned?
Bittylicious is now integrated with the excellent Have I Been Pwned service created by well-known security expert Troy Hunt. This service collates passwords that appear in breaches and dumps after company data has been compromised.
For each user that newly logs in, Bittylicious will query the service to determine whether the password being used by the Bittylicious user is one that is commonly used and has been listed in one of many breaches. This means that from now onwards:
- Users will not be able to change their password to one that is very well known, i.e. used regularly by many others and appears in multiple lists.
- Privileged users (brokers and administrators) will not be able to use the service if their password is in any single list at all; the password will need to be changed before the service can be used.
We also intend to make other changes in the future, e.g. possibly decreasing limits if the account is more likely to be compromised, but we will assess the impact this has first.
If you’re a developer with any sort of sensitive service, consider also integrating. It’s a great project and a useful tool in the arsenal against compromised accounts.
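For developers considering the same integration, here is a sketch of the two-tier rule described above. It is an added example, not Bittylicious's code. It assumes the Pwned Passwords range endpoint, where only the first five characters of the SHA-1 hash are sent, and an invented threshold of 1000 for "very well known"; the function names and sample data are constructed.

```python
import hashlib

COMMON_THRESHOLD = 1000  # assumed cut-off for "very well known"; the page gives no number

def split_hash(password):
    """SHA-1 the password; only the 5-character prefix is ever sent to the service."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix, range_body):
    """Find our suffix in a range response made of SUFFIX:COUNT lines."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)  # padded responses carry decoy entries with count 0
    return 0

def evaluate(password, privileged, fetch_range):
    """Apply the two-tier rule described above to one password."""
    prefix, suffix = split_hash(password)
    count = breach_count(suffix, fetch_range(prefix))
    if privileged and count > 0:
        return "must_change_before_use"    # brokers/admins: any listing at all
    if count >= COMMON_THRESHOLD:
        return "rejected_as_new_password"  # everyone: very well known passwords
    return "ok"

# Constructed breach data standing in for the live service, so this runs offline.
# In production fetch_range would GET https://api.pwnedpasswords.com/range/<prefix>.
CONSTRUCTED_COUNTS = {"password": 50000, "Summer2019!": 3}

def fake_fetch_range(prefix):
    lines = ["0" * 35 + ":0"]  # constructed padding entry
    for pw, count in CONSTRUCTED_COUNTS.items():
        p, s = split_hash(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw, priv in [("password", False), ("Summer2019!", False),
                     ("Summer2019!", True), ("kX9#vT2q-unlisted", True)]:
        print(priv, evaluate(pw, priv, fake_fetch_range))
```

The password and its full hash never leave the server; the match against the returned suffixes happens locally.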